User Added as Owner for Azure Service Principal | Elastic Security Solution [7.10]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« User Added as Owner for Azure Application User Discovery via Whoami »

User Added as Owner for Azure Service Principaledit

Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.

Rule type: query

Rule indices:

filebeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Tags:

Elastic
Cloud
Azure
Continuous Monitoring
SecOps
Configuration Audit

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Investigation guideedit

The Azure Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
owner to service principal" and event.outcome:Success

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/

« User Added as Owner for Azure Application User Discovery via Whoami »